Trojan-spy.html.smitfraud.c [RESOLVED]

cryptopsy

Posted 03 July 2005 - 05:02 AM

Hi, a couple of days ago my computer got infected with this trojan. I have gone through the required steps before posting my hijackthis log. By using the various spyware/adware tools I have now reset my homepage to its usual one, and the background, appearance and effects tabs are available again under my display properties so I can set my desktop wallpaper via the usual way. I am still receiving popups though, like I was after I first got infected with the trojan. Your help in getting rid of these annoying popups and making sure my computer is clean would be greatly appreciated. My hijackthis log is as follows:

rambro

Posted 17 July 2005 - 04:37 PM

Dear cryptopsy,

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Click Start then Control Panel then Add and Remove Programs. Look for the following installed program/programs and if they are listed click on each one and then click on the Remove or Change button and if asked select "Yes" or "Ok" to remove:

NewDotNet is an ad supported software. The application is running silently in the background as a browser helper object (BHO). It pops up ad windows while you are surfing the web and periodically connects to the remote server to check for available updates.

new.net was originally designed to shorten web addresses. They created some new virtual top level domains like .mp3, .xxx, .travel which can only be visited on computers with the new.net addons installed.

The software is mostly bundled with other software products like file sharing tools or other ad supported freeware tools.

NewDotNet is a browser hijacker and can update itself without any input from you. Anything that modifies your windows HOSTS file is a hijacker and we don't want it! The "purpose" of this is to add support for additional domains like .AGENT .INC .LOVE .SHOP .SPORT. We suggest you remove this.

Please run the Housecall online virus scan located at: http://housecall.tre.../start_corp.asp. Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system. When the scan is finished, please restart your computer.

Please download SpSeHjfix, version 1.09, for Windows 95/98*admin from here: http://www.derbilk.d...Hjfix_Beta9.zip. Unzip it to the desktop and run it. Click "Start Disinfection" and follow the prompts. Your computer may restart. Then please post the SpSeHjfix.log file in a reply to this post.

Restart your computer.

Run HijackThis and click "Scan." Place checks next to the following entries (if they exist):

Close all browser and other windows except for HijackThis, and click "Fix Checked" button to finish the repair. Close the HijackThis application.

Please reboot your computer into Safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.co.../safemode.shtml

Next, make sure your PC is configured to show hidden files. Here is how to do this:

cryptopsy

Posted 18 July 2005 - 09:34 PM

Thank you for replying to my post. I actually now have a lot more problems than before, but I do not know how it happened.

In response to your first question, I am running AntiVir Personal Edition virus software and my definitions when I posted my first post were probably about a month old. After reading your second post, I updated my virus definitions and did a virus scan before commencing with your instructions.

After my original post a couple of weeks ago, my computer was running quite good with no ad pop-ups. I was following your instructions to try and fully clean my computer and was up to doing the housecall online virus scan. While setting up to do this virus scan, my internet explorer came up with an illegal operation message which forced the page to close. On repeated attempts to do this virus scan, I continued to get the illegal operation message. I then stopped using my computer and shut it down. The next day (today), I turned on my computer, and when I tried to start internet explorer I got the following message:

I continue to get this message even now. I then tried to open AdAware, Spybot and Cleanup programmes, but I couldn't due to receiving the following message:

A required DLL file C:\Windows\System\WININET.DLL was not found.

Due to not being able to access internet explorer, I installed Netscape 7.0 off a CD I had so that I could browse the internet. I am now in a far worse position than before and wish I had not done anything. Please help!!!

cryptopsy

Posted 18 July 2005 - 11:56 PM

Thanks for responding quickly. After running the system file checker it came up with 2 corrupted files which were user.exe and setupx.dll, however when prompted to restore the original files, I have no clue where the original files are. My internet explorer still is not opening as before, and I cannot open Cleanup, Adaware and Spybot. Any ideas?

cryptopsy

Posted 19 July 2005 - 12:23 AM

Ok, sorry if I sounded a bit stupid in my last post, I have since then tried to do more. I manually entered the file wininet.dll to restore and put in my Windows CD, and it was on there. The System file checker restored the file successfully, and afterwards I could open spybot, cleanup and adaware again without the error message coming up. However, after restoring wininet.dll, I still could not enter internet explorer as it then came up with the message:

Upon restarting my computer, I noticed in the start up screens that it said:

c: \>attrib -s -h -r c:windows\system\wininet.dll

c: \>del c:windows\system\wininet.dll

I then tried to open cleanup, adaware and spybot and could not and got the same error message again. Upon trying to enter internet explorer I got the old error message about urlmon.dll. I then looked under my system files to find wininet.dll deleted as per the command prompt in the start up screens.

I repeated trying to restore wininet.dll with the same results. My cleanup programmes were able to be opened, but then after restarting my computer, wininet.dll was deleted again so that they could not be opened.
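
The two commands quoted in the post above strip the System, Hidden and Read-only attributes from wininet.dll and then delete it on every boot. As an added example (not part of the original thread), this Python sketch flags that pattern in the text of a boot-time batch script; that the commands come from such a script is an assumption, and the sample lines are constructed.

```python
import re

# An echoed prompt such as "c: \>" may precede each command on the boot screen.
PROMPT = r"^\s*(?:[a-z]:\s*\\?>)?\s*@?"
ATTRIB = re.compile(PROMPT + r"attrib\s+((?:[+-][shra]\s+)+)(\S+)\s*$", re.I)
DELETE = re.compile(PROMPT + r"(?:del|erase)\s+(?:/\w\s+)*(\S+)\s*$", re.I)
# Binaries directly under windows\system, with or without "\" after the drive.
SYSTEM_FILE = re.compile(
    r"^[a-z]:\\?windows\\system(?:32)?\\[^\\]+\.(?:dll|exe|vxd)$", re.I)


def normalise(path):
    """Strip quotes and lower-case so repeated mentions of a path compare equal."""
    return path.strip('"').lower()


def find_boot_deletions(lines):
    """Return (line_number, path, attributes_cleared_first) for every
    'del' of a system binary; the flag is True when an earlier 'attrib'
    removed the System, Hidden and Read-only attributes from that path."""
    cleared = {}    # path -> attribute flags removed so far
    findings = []
    for number, line in enumerate(lines, start=1):
        m = ATTRIB.match(line)
        if m:
            removed = {f.lower() for f in m.group(1).split() if f[0] == "-"}
            cleared.setdefault(normalise(m.group(2)), set()).update(removed)
            continue
        m = DELETE.match(line)
        if m and SYSTEM_FILE.match(normalise(m.group(1))):
            path = normalise(m.group(1))
            unprotected = {"-s", "-h", "-r"} <= cleared.get(path, set())
            findings.append((number, path, unprotected))
    return findings


# Constructed sample: lines 2-3 are the commands quoted in the post above,
# the rest are made-up benign lines for contrast.
SAMPLE = [
    r"@echo off",
    r"c: \>attrib -s -h -r c:windows\system\wininet.dll",
    r"c: \>del c:windows\system\wininet.dll",
    r"del c:\windows\temp\setup.tmp",
    r"rem del c:\windows\system\user.exe",
]

if __name__ == "__main__":
    for number, path, unprotected in find_boot_deletions(SAMPLE):
        print(f"line {number}: deletes {path} (attributes cleared: {unprotected})")
```

A hit with the flag set means the file will keep disappearing after each restore until the startup entry that issues the commands is removed.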

rambro

Posted 19 July 2005 - 10:26 AM

I was looking over the last two posts you sent me. The following files: wininet.dll, user.exe and setupx.dll are located in the following path on your computer: C:\windows\system.

Run the system file checker for windows 98 (from the article I gave you) and restore the files from your windows CD ROM and place these files in (i.e. save file in) this directory on your computer: C:\windows\system.

Dear cryptopsy, you will want to extract these files from your windows 98 cd and place them into the "C:\windows\system" directory. The corrupted files (user.exe and setupx.dll) should have automatically been placed in the C:\windows\system directory, if you followed the first part of that article I sent you.

There is a possibility that the viruses on your computer are deleting the "wininet.dll" file on your computer. So make sure you download and run trojan hunter, to check for the trojans on your computer. Also the following line:

represents a major virus on your pc. Make sure you download and run the SpSeHjfix, version 1.09, for Windows 95/98*admin that I gave you.

Dear cryptopsy, don't be too fixated on getting that wininet.dll file back on your computer. Just let us fix the major viruses on your computer first.

Note: In order for the Housecall scan and the Panda Scan to operate properly you have to get Internet Explorer running properly, so if the IE browser is not running, skip those steps for now.

You also need to uninstall the NewDotNet application and your Tetris 2000 application. You also need to fix the lines in HJT and perform the file/directory deletions in my second post to you.

This is what you should do, try running the system file checker for Windows 98 again, restore the files from your Windows 98 CD Rom to your computer (i.e. c:windows\system directory) to replace the corrupted files it found. Next try restoring that "wininet.dll" from your Windows 98 CD Rom. If the "wininet.dll" file gets deleted again and your IE explorer still does not work, skip the steps for running Housecall and the Panda Scans, and execute all the rest of the steps in the second post I sent you. Restart your computer and post a new HijackThis log.

We can always fix your Internet Explorer problem at a later date, but we should start working on getting those viruses off your computer.

If your IE browser still does not work, try reinstalling over it again with a new Internet Explorer download. Here is the link to download Internet Explorer: http://www.microsoft...&DisplayLang=en

cryptopsy

Posted 19 July 2005 - 10:02 PM

Ok, I managed to successfully restore the files user.exe and setupx.dll. When I restored wininet.dll the same thing happened as last time. It was successfully restored and it enabled me to enter the various cleanup programmes but when I restarted the computer, the wininet.dll file was deleted. I then ran trojan hunter which found no trojans and I restarted my computer. I then tried to run the SpSeHjfix but couldn't as I got the following message:

"A required DLL file, MSVBVM60.DLL wasn't found".

I then tried to run hijackthis and couldn't due to getting the same message.

cryptopsy

Posted 19 July 2005 - 11:57 PM

I was looking over some related posts on msvbvm60.dll and went to the Microsoft website to download visual basic 6.0 runtime files like one of the geekstogo staff members said. After installing these files msvbvm60.dll was installed on my computer and has stayed there after reboots allowing me to run SpSeHjfix and Hijackthis. I then followed your instructions and deleted the appropriate files. I then rebooted in safe mode to search for the extra files you indicated. I then restarted my computer again in normal mode and I still cannot enter adaware, spybot and cleanup without restoring wininet.dll, and then upon rebooting cannot enter these programmes without going through the same process. I am still having the same problem entering internet explorer as before.

rambro

Posted 20 July 2005 - 09:06 AM

Dear cryptopsy,

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Click Start then Control Panel then Add and Remove Programs. Look for the following installed program/programs and if they are listed click on each one and then click on the Remove or Change button and if asked select "Yes" or "Ok" to remove:

Close all browser and other windows except for HijackThis, and click "Fix Checked" button to finish the repair. Close the HijackThis application.

Please reboot your computer into Safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.co.../safemode.shtml

Next, make sure your PC is configured to show hidden files. Here is how to do this:

rambro

Posted 20 July 2005 - 09:08 AM

(Note: Do the following steps in this post after performing the steps in the previous post I sent you.)

I would like you to download a number of programs to your computer that will check for bad, hidden, files that the HijackThis program may not recognize.

Please download SilentRunners from here: http://www.silentrun...ent Runners.zip. Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile in a reply to this post.

Please download the free MWAV antivirus tool from here: ftp://ftp.microworldsystems.com/download/tools/mwav.exe. Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window in a reply to this post.

Please restart your computer and then post a new HijackThis log, along with the log from the SilentRunners application and the log from the MWAV antivirus tool application.

In addition, let me know in detail how your computer system is running after performing the above steps.

cryptopsy

Posted 21 July 2005 - 12:03 AM

Thank you again for responding quickly. Firstly, I followed the instructions of your first post and did the required things with no problems. I then downloaded Silent Runners but could not use it due to getting the following message:

I then skipped that and downloaded the MWAV virus tool. After restarting my computer, it was having the same problems as before. I couldn't access Cleanup, Adaware and Spybot due to receiving the following message:

A required DLL file C:\Windows\System\WININET.DLL was not found

I then tried to open internet explorer and got the same error message as before:

I then tried restoring wininet.dll and it said it restored successfully like previous attempts. However this time, I COULD enter and use internet explorer with no problems, without receiving the 2nd error message that I had previously been receiving of:

Upon restarting my computer, I noticed the command prompt to delete wininet.dll in the startup screens, and I was back to receiving the error messages when trying to enter internet explorer and the various cleanup programmes.

Due to not being able to use Silentrunners I obviously have no log for that.

cryptopsy

Posted 21 July 2005 - 03:53 AM

Don't know whether this matters but extra info can't harm anything. I restarted my computer and restored wininet.dll as per usual to see if internet explorer was still working upon restoration of the file. Internet explorer was up and running again like I said in my last post, however this time if I searched for an address in the address bar or clicked on one of my favourites nothing happened. It loaded my homepage www.yahoo.com fine and it allowed me to search within yahoo or click on a link from yahoo.com. It also allowed me to open up external pages which were results from a yahoo search. However if I right clicked a link and said open in new window, it would open up a blank page with nothing on it. I restarted my computer several times and repeated this process with the same results.

Also, something I have not mentioned yet to do with outlook express which I noticed yesterday when trying to use it. Even before I restored wininet.dll I could still open outlook express and receive and send messages. However after clicking on a message or two in my inbox it would say the following error message similar to internet explorer:

rambro

Posted 21 July 2005 - 09:15 AM

Dear cryptopsy,

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Please download the Killbox. Unzip it to the desktop but do NOT run it yet.

Please reboot your computer into Safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.co.../safemode.shtml

1) Once in Safe Mode, please run Killbox.

2) In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

3) Select "Delete on Reboot".

4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard". Now you will see, this is pasted in the "Full Path of File to Delete" field. There's a little arrow (dropdown-arrow) next to that field. If you expand it, these lines must be there together!

As a double check, see if some of the above files were in fact deleted and let me know if they were deleted.

Let me know in detail, in a reply to this post, if you could run Cleanup, Adaware, Spybot, SilentRunners and the MWAV antivirus tool application. Let me know if you are still having a problem with the wininet.dll file, that is, if it is still being deleted on reboot. Let me know if your Internet Explorer browser is functioning correctly.

Please restart your computer and then post a new HijackThis log, along with the log from the SilentRunners application and the log from the MWAV antivirus tool application.

In addition, let me know in detail how your computer system is running after performing the above steps.